forcedotcom / sfdx-scanner


LimitPermissionSetAssignment #1478

Closed GaneshSMC closed 3 weeks ago

GaneshSMC commented 1 month ago

Have you verified this is Salesforce Code Analyzer specific?

Yes

Description

Ensure that DML operations against PermissionSetAssignment use trusted input.

/**
Name: AccountTriggerTest
*/
        // Assign the permission set to the user
        PermissionSetAssignment psa = new PermissionSetAssignment(
            AssigneeId = testUser.Id,
            PermissionSetId = permissionSet.Id
        );
        // Insert the permission set assignment
        insert psa;

Output / Logs

No response

Steps To Reproduce

1. Ran the below command: sf scanner run --engine pmd-appexchange --format csv --outfile CodeAnalyzerPmdAppExchange.csv --target ./

Expected Behavior

I expect the result should be clear since it's a test class.

Operating System

Windows 11

Salesforce CLI Version

@salesforce/cli/2.41.8 win32-x64 node-v20.12.2

Code Analyzer Plugin (@salesforce/sfdx-scanner) Version

@salesforce/sfdx-scanner 3.24.0

Additional Context (Screenshots, Files, etc)

No response

Workaround

No response

Urgency

Critical

jfeingold35 commented 1 month ago

@GaneshSMC , we can look into this, but could you clarify why this issue is Critical?

stephen-carter-at-sf commented 1 month ago

@GaneshSMC Can you clarify what the issue is? Are you saying you are receiving a violation but expect not to because the code is a test and not source code? If so, have you tried specifying the --target to only include your source files and not your test files?

GaneshSMC commented 1 month ago

Hello @jfeingold35 @stephen-carter-at-sf We have submitted our application for a security review. Salesforce initially identified some violations, which we resolved. However, in the latest scan, new violations have emerged that were not previously detected, even though the code remains unchanged. We now need to address these new issues and resubmit our application.

I have a permission set assignment in my test class. On scan run it has been identified as a violation, LimitPermissionSetAssignment. I referred to this link, where I can't find my solution: https://github.com/forcedotcom/sfdx-scanner/blob/dev/pmd-appexchange/docs/LimitPermissionSetAssignment.md. Also referred to this: https://github.com/forcedotcom/sfdx-scanner/issues/1414

What does LimitPermissionSetAssignment mean? What should I consider before using a permission set assignment in my application so that I don't meet any violations? I got this as the description: "Ensure that DML operations against PermissionSetAssignment use trusted input." What does trusted input refer to here?

Also, as per your words, "If so, have you tried specifying the --target to only include your source files and not your test files?", I ran this command with only source code: sf scanner run --engine pmd-appexchange --format csv --outfile CodeAnalyzerPmdAppExchange_3.csv --target C:\Users\DELL\HBAVersion2Prod\force-app\main\default\classes2 and the result we got is 0 violations. [image] Are test class violations neglected in security review?

stephen-carter-at-sf commented 1 month ago

You'll have to ask the security team what they require - if the test classes can be skipped during the scan or not. Also, this is one of their rules, so they should be able to respond. Please ask the security review team, and then report back here so that we can close this issue. Thank you.

stephen-carter-at-sf commented 3 weeks ago

I just confirmed that for now you can ignore test class based violations here. In the near future we'll have these rules updated for most cases to not mark test classes as vulnerabilities here.